
I have a problem with a project made with PHP and MySQL. I want to delete a row from my document but I can't. It's very strange because when I click my delete button, it goes to index.php but it doesn't delete the row from the database.

if(isset($_POST['delete'])){
    $sql = "DELETE FROM account WHERE idAccount = '".$id."'";
    $result = $conn->query($sql);
    header("location: index.php");
}
pazz98
  • where is `$id` defined? – Professor Abronsius Jan 24 '19 at 10:37
  • of course it isn't a problem of connection, or that I don't have a record with idAccount = $id – pazz98 Jan 24 '19 at 10:37
  • Have you tried checking for SQL errors? There is a quote behind your ID, but not in the front – Nico Haase Jan 24 '19 at 10:38
  • My idea is that when I go to phpMyAdmin and do a delete query, the site asks me for a confirmation before deleting the record; how can I get away from this? – pazz98 Jan 24 '19 at 10:38
  • Your code is vulnerable to sql injection - you ought to use `prepared statements` in either `mysqli` or `PDO`... `PHPmyAdmin` is simply a web based GUI for administration of your `mysql` database – Professor Abronsius Jan 24 '19 at 10:41
  • phpMyAdmin is just an interactive tool, the database is MySQL. The confirmation is an extra check in the tool, it doesn't come from the database, and it shouldn't affect your script. – Barmar Jan 24 '19 at 10:42
  • Are you sure you're setting `$id` correctly? You should check whether the query is successful with `$result = $conn->query($sql) or die($conn->error);` – Barmar Jan 24 '19 at 10:43
  • yes, it isn't a problem of $id, I use it in other queries and have no problem with it; I don't know why it hasn't copied the backtick before $id but it is there, it isn't a syntax error – pazz98 Jan 24 '19 at 10:46
  • remove `'` after `".$id."` – Davide Jan 24 '19 at 10:46
  • At least, the OP should start looking for his own way of checking for such errors. Additionally, I've flagged this question to be closed for this simple typo – Nico Haase Jan 24 '19 at 10:50
  • Anyway, every answer is potentially wrong. We don't know if `idAccount` is an `INT` or `VARCHAR`. (`idAccount` could be generated with `UUID()`) – Cid Jan 24 '19 at 10:51
  • @pazz98 so, if in your original code, you **have** a quote before and behind the ID, you should start searching for a way to read the error messages your database server provides – Nico Haase Jan 24 '19 at 10:52
  • If you leave the query error as it is, and set error checking as above, if you don't get an error then this code is not being reached – RiggsFolly Jan 24 '19 at 11:12

2 Answers


Try this; you have inserted ' after ".$id."

if(isset($_POST['delete'])){
    $sql = "DELETE FROM account WHERE idAccount = ".$id."";
    $result = $conn->query($sql);
    header("location: index.php");
}

or

if(isset($_POST['delete'])){
    $sql = "DELETE FROM account WHERE idAccount = '".$id."'";
    $result = $conn->query($sql);
    header("location: index.php");
}
Rohit Ghotkar
Davide

As @nico-haase already mentioned, your statement is wrong:

$sql = "DELETE FROM account WHERE idAccount = ".$id."'";

evaluates to (check the trailing quote): DELETE FROM account WHERE idAccount = NUMBER'

Additionally, I agree with @ramraider that it's one big sql injection here. You should sanitise your input at minimum (int $_POST['id']) or use PDO at best.

sznowicki
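The comment thread asks for two things the original script lacks: a way to see the database error, and a query that cannot be broken (or injected into) by string concatenation. The following is an added example, not code from the question or from either answer, showing the same DELETE written with a mysqli prepared statement, input validation and explicit error reporting. It assumes `$conn` is an existing `mysqli` connection and that the id arrives in `$_POST['id']` (the question never shows where `$id` comes from); both are assumptions.

```php
<?php
// Added example (not from the question or either answer): the same DELETE
// with a bound parameter and error reporting that cannot be silently lost.
// Assumptions: $conn is an existing mysqli connection and the account id is
// posted as $_POST['id']; the original does not show where $id is defined.

declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so a failing
// prepare() or execute() is never ignored the way the original script does.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Delete one account by its numeric id using a bound parameter.
 * Returns the number of rows removed (0 means no row had that id).
 */
function deleteAccount(mysqli $conn, int $id): int
{
    // The placeholder replaces the concatenation entirely: the value is sent
    // separately from the query text, so quoting mistakes and injection are
    // both impossible here.
    $stmt = $conn->prepare('DELETE FROM account WHERE idAccount = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (isset($_POST['delete'])) {
    // Validate before touching the database: an INT column only ever needs
    // an integer, so anything else is rejected up front.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid account id');
    }

    try {
        $deleted = deleteAccount($conn, $id);
    } catch (mysqli_sql_exception $e) {
        // Keep the real error server-side; the browser only gets a generic message.
        error_log('DELETE account failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not delete the account');
    }

    // $deleted === 0 means the id was valid but no such row existed, which
    // is the other case the question's silent script could not distinguish.
    header('Location: index.php');
    exit; // always stop after a redirect, or the rest of the page keeps running
}
```

If `idAccount` is a VARCHAR holding a UUID, as Cid's comment notes is possible, the only changes are the parameter type (`'s'` instead of `'i'` in `bind_param`) and the validation step (a string pattern check instead of `FILTER_VALIDATE_INT`); the prepared statement itself stays the same, and with `MYSQLI_REPORT_STRICT` on, a wrong column type or a bad query text is reported as an exception rather than as a quietly false result.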